Re: [Development] [Announce] Security advisory: Freetype in Qt

Thu, 28 Jul 2022 08:32:09 -0700 

Hi,

On 27/07/2022 22:23, Thiago Macieira wrote:

On Wednesday, 27 July 2022 11:47:20 PDT Giuseppe D'Angelo via Development
wrote:

Right now, if one selects "LTS" and "Latest releases" (and *not*
"Archive"), one gets

* 6.3.1
* 6.2.4
* 5.15.2

all of which are bugged AFAICT?


Non-commercial customers shouldn't even see the option for LTS, since it's not
LTS for them. There should only be "Latest releases".

Yes, it means that to find Qt 5, you'll need to go look in the Archive.



Trying to summarize:
1) The current opensource binary downloads, marked "LTS" / "Latest releases", are all bugged. Given they will never get a binary update for 5.15 or 6.2, I don't think it makes any sense to keep them available under those labels -- they should be in "Archive" or so.
6.3.2 should be released in a few weeks and I'm assuming will contain the fix in question? (As well as being provided as binary downloads.)
2) The current *source* downloads for 5.15 (esp. the latest, 5.15.5) don't have a clean patch against them.
Yes, one could always build Qt against a vanilla fixed Freetype, or replace (if that's easy/possible) the freetype in src/3rdparty/, that's not the point though.
3) Most importantly: will the _future_ source downloads for 5.15 / 6.2 (e.g. 5.15.6, due in September) also be affected? I'd assume yes, if they're faithful to the "tagging" in the repositories, done a year ago.
Are further patches (that apply against them) going to be published? Or will it be the case that 5.15.6 isn't really going to be a "release", but mostly something like "5.15.6's source is now publicly accessible"?
(To me it makes zero sense to "release" something with known vulnerabilities.) 


Thanks,

--
Giuseppe D'Angelo | [email protected] | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - The Qt, C++ and OpenGL Experts

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Development mailing list
[email protected]
https://lists.qt-project.org/listinfo/development
  • ... List for announcements regarding Qt releases and development via Development
    • ... Giuseppe D'Angelo via Development
      • ... Andy Shaw
      • ... Thiago Macieira
        • ... Giuseppe D'Angelo via Development
          • ... Thiago Macieira
            • ... Scott Bloom
              • ... Thiago Macieira
                • ... Scott Bloom
                • ... Kevin Kofler via Development
            • ... Giuseppe D'Angelo via Development
              • ... Volker Hilsheimer
                • ... Albert Astals Cid
                • ... Kevin Kofler via Development
                • ... Volker Hilsheimer
                • ... Albert Astals Cid
                • ... Albert Astals Cid
    • ... Albert Astals Cid
      • ... Thiago Macieira
        • ... Ahmad Samir
          • ... Thiago Macieira

Reply via email to